1. Alert (ICS-ALERT-17-073-01A). MEMS Accelerometer Hardware Design Flaws (Update A) (Apr. 11, 2017); http://bit.ly/2CjTdcD.
2. Analog Devices Advisory to ICS-ALERT-17-073-01 (Apr. 2017); http://bit.ly/2EPF9cc.
3. Arndt, D. Alaskan North Slope climate change just outran one of our tools to measure it (Dec. 6, 2017).
4. Foo Kune, D. et al. Ghost Talk: Mitigating EMI signal injection attacks against analog sensors. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA), May 2013.
5. Francillon, A., Danev, B., and Capkun, S. Relay attacks on passive keyless entry and start systems in modern cars. In Proceedings of the Network and Distributed System Security Symposium (NDSS), The Internet Society.
6. Fu, K. Pacemaker recall exposes national need for research and education in embedded security. Computing Community Consortium (CCC), Sept.
7. Liu, J., Yan, C., and Xu, W. Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicles. In DEFCON 24 (Aug. 2016).
8. Neumann, P.G. Fundamental trustworthiness principles. In New Solutions for Cybersecurity, H. Shrobe, D. Shrier, and A. Pentland, Eds. MIT Press/Connection Science, Cambridge, MA, 2018.
9. Nguyen, T. Cumulative interference to aircraft radios from multiple portable electronic devices. In IEEE Conference on Digital Avionics Systems, 2005.
10. Parnas, D.L. Education for computing professionals. IEEE Computer 23, 1 (Jan. 1990), 17–22.
11. Parnas, D.L. Software engineering programmes are not computer science programmes. Annals of Software Engineering 6 (1998), 19–37. (Reprinted in IEEE Software (Nov./Dec. 1999), 19–30.)
12. Rouf, I. et al. Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study. In Proceedings of the USENIX Security Symposium (Aug. 2010).
13. Son, S. et al. Rocking drones with intentional sound noise on gyroscopic sensors. In Proceedings of the USENIX Security Symposium (Aug. 2015).
14. Trippel, T. et al. WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), Apr.
15. Zhang, G. et al. DolphinAttack: Inaudible voice commands. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Kevin Fu (email@example.com) is Associate Professor of Electrical Engineering and Computer Science at the University of Michigan.
Wenyuan Xu (firstname.lastname@example.org) is Professor and Chair of the Department of Systems Science and Engineering at

The authors thank Steve Bellovin, Robert Dick, Peter Denning, Nancy Leveson, Peter Neumann, David Parnas, Jerry Saltzer, Zeynep Tufekci, and Ben Zorn for their review comments.
This work is supported by NSF CNS-1330142. The views and conclusions contained in this column are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of NSF.
Copyright held by authors.

physics to influence the output of sensors. The community can reduce these risks by designing sensors to be continuously checkable for security properties and by increasing opportunities for students to master the physics of computer security and principles of early exposure to interdisciplinary teamwork in classes and internships.
However, not all engineers must master the underlying physics of computer
security. Instead, every team member
needs a basic awareness of the risks. A
system always includes risks that will
fall outside an individual team member’s area of expertise. Thus, each engineer has an ethical responsibility to
maintain awareness of analog security
risks, inform management of uncontrolled risks, and know when to ask for
expert help from a team leader.
The notion of interdisciplinary education is not new to computer science.
In the 1990s, the software engineering community debated a shift toward
interdisciplinary education beyond
the confines of computer science [10, 11].
Similarly, a good engineer for embedded security will not simply be a good
computer scientist or a good programmer. Interdisciplinary education and
teamwork is key to ensuring security of
sensor-driven, safety-critical systems.
Educational opportunities for embedded security. Aspiring system-security engineers need opportunities to learn fundamentals of embedded security. However, computer science curricula have little room to add material given the pressure to meet the industry's demand for gifted programmers. How can computer science programs create expert embedded security graduates under these constraints? Computer science cannot succeed alone.
Engineering schools should offer interdisciplinary educational programs for ambitious students to learn how to protect cyberphysical systems. Students would learn not just fundamentals of computer science and computer security, but also the physics of computational abstractions. A software engineer may take computer security courses to learn threat modeling, cryptography, and secure programming methodologies. To master the concepts and skills for embedded security, an engineer would also take courses that teach the fundamentals of signals and systems, communication theory, and classical physics. For instance, defending against transduction attacks involves spectral analysis, mechanical resonance, and modulation. Students wishing to become experts in embedded security must understand how each layer of computation from sensors to human behavior can fail when subjected to adversarial interference.
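The three ingredients named above (mechanical resonance, the modulation that turns an inaudible tone into an in-band signal, and spectral analysis) can be seen in a small model of an acoustic injection attack on a MEMS accelerometer, the kind of spoofing the closing paragraph of this column warns about. The following is an added example written for this page, not code from the authors or from the cited WALNUT work; the resonance of 1750 Hz with Q = 30, the 250 Hz ADC, the 1755 Hz attack tone and the paired-sample check are all assumptions chosen to make the effect visible, and the "true" accelerations are constructed inputs.

```python
"""Transduction attack on a MEMS accelerometer, modelled end to end.

Added illustration for this column, not code from the authors or the cited
papers.  Every number is an assumption: a proof mass resonating at 1750 Hz
with Q = 30, a 250 Hz ADC, and an attacker's acoustic tone at 1755 Hz,
which is 7 * 250 + 5, so it aliases to a 5 Hz "acceleration".
Pure Python, no third-party dependencies.
"""
import math
import random

F_RES = 1750.0      # assumed mechanical resonance of the proof mass (Hz)
Q = 30.0            # assumed quality factor: how high the resonant peak is
F_ADC = 250.0       # assumed ADC sampling rate (Hz); Nyquist band is 0-125 Hz
F_ATTACK = 1755.0   # attacker's tone: 7 * F_ADC + 5 Hz
N = 256             # samples per analysis window


def resonance_gain(f):
    """Displacement gain of a second-order spring-mass system at frequency f,
    normalised to 1.0 at DC.  This is the 'mechanical resonance' ingredient."""
    x = f / F_RES
    return 1.0 / math.sqrt((1.0 - x * x) ** 2 + (x / Q) ** 2)


def analog_output(t, true_accel, attack_amp):
    """Signal reaching the ADC at time t, in g.  The acoustic tone is scaled
    by the mechanical gain at its own frequency before it is added."""
    spoof = attack_amp * resonance_gain(F_ATTACK) * math.sin(2 * math.pi * F_ATTACK * t)
    return true_accel(t) + spoof


def sample_fixed_rate(true_accel, attack_amp):
    """What a conventional ADC records: one sample every 1/F_ADC seconds.
    The 1755 Hz tone folds (aliases) onto 5 Hz here: the 'modulation' step."""
    return [analog_output(i / F_ADC, true_accel, attack_amp) for i in range(N)]


def dominant_frequency(samples, fs=F_ADC):
    """Spectral analysis: strongest non-DC bin of a plain DFT (O(N^2) is fine
    for N = 256).  Returns (frequency_hz, amplitude_g)."""
    n = len(samples)
    best_f, best_mag = 0.0, 0.0
    for k in range(1, n // 2):
        re = sum(s * math.cos(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        mag = 2.0 * math.hypot(re, im) / n
        if mag > best_mag:
            best_f, best_mag = k * fs / n, mag
    return best_f, best_mag


def paired_sample_check(true_accel, attack_amp, threshold=0.05, seed=1):
    """An assumed 'continuously checkable' property (illustrative design, not
    from the column): right after each nominal sample take a second one a
    random 70-210 us later, i.e. 0.5 to 1.5 quarter-periods of F_RES.
    A genuine in-band acceleration barely changes in that time; energy near
    the mechanical resonance swings through a large part of a cycle, so the
    two samples disagree.  Returns (worst_pair_difference_g, flagged)."""
    rng = random.Random(seed)      # seeded so the example is reproducible
    worst = 0.0
    for i in range(N):
        t = i / F_ADC
        delta = rng.uniform(0.5, 1.5) / (4.0 * F_RES)
        a = analog_output(t, true_accel, attack_amp)
        b = analog_output(t + delta, true_accel, attack_amp)
        worst = max(worst, abs(a - b))
    return worst, worst > threshold


def at_rest(t):
    """Constructed ground truth: the device is not moving at all."""
    return 0.0


def genuine_5hz(t):
    """Constructed ground truth: a real 0.3 g vibration at 5 Hz."""
    return 0.3 * math.sin(2 * math.pi * 5.0 * t)


def demo():
    """Run the attack (0.01 g acoustic input) against a resting sensor and
    compare with honest 5 Hz motion, under both the naive and the checked ADC."""
    return {
        "gain_at_attack_tone": resonance_gain(F_ATTACK),          # about 29.5x
        "fixed_rate_spoof": dominant_frequency(sample_fixed_rate(at_rest, 0.01)),
        "fixed_rate_real": dominant_frequency(sample_fixed_rate(genuine_5hz, 0.0)),
        "pair_check_spoof": paired_sample_check(at_rest, 0.01),
        "pair_check_real": paired_sample_check(genuine_5hz, 0.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The fixed-rate path shows why in-band spectral analysis alone cannot save the software above the sensor: a 0.01 g acoustic tone at the resonance is amplified almost thirtyfold and, once sampled, is indistinguishable from real 0.3 g motion at 5 Hz. The paired-sample check works only because its timing is randomized; with a fixed offset an attacker who knows the ADC timing could pick a tone period that makes both samples agree. The cited WALNUT work [14] proposes randomized and out-of-phase sampling defenses along the same lines, and a low-pass filter in front of the ADC removes the resonant energy before it can alias at all.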
Back to basics. Students are losing an
appreciation for the physical machines
that implement computational abstractions. Students graduating from departments that diminish the role of computing machinery will not be prepared
to create trustworthy cyberphysical systems. For instance, students unaware of
transduction attacks may falsely believe
that verified software is failure-proof.
Math-centric departments tend to avoid
courses that emphasize building physical systems. If a department eliminates
computer architecture, students may
seek comfort hiding behind a beautiful Java facade rather than facing the
ugly limitations of computing machinery. Even engineering-centric computer
science departments succumb to this
problem. Students may desire immediately marketable programming skills
over understanding the fundamental
limitations of the machines on which
their software runs.
Students creating the next generation of trustworthy cyberphysical systems need an exposure to the physical
limitations of the machines implementing each abstraction. An effective way to do this is to include labs
featuring experiments of the kinds
suggested earlier in this column. Tomorrow’s software engineer must
master both math-centric and engineering-centric skills while understanding the physical limitations of
computational machinery. This topic
deserves a longer conversation.
Sensors are vulnerable to spoofing by transduction attacks. Cyberphysical systems must cope with analog threats that an adversary could exploit without any special-purpose equipment. Automobiles decide whether to deploy an airbag based on data from accelerometers [14]. Pacemakers and defibrillators decide whether to emit shocks based on data from cardiac sensors [6]. It is inevitable and predictable that hackers will try to manipulate sensors to cause havoc. Autonomous systems making safety-critical decisions should remain safe even when an adversary can exploit